I posted the following news from the event horizon on the TDA’s Facebook. On other venues I’ve titled this kind of scoop “Hot Damn News.” I bowed to decorum since the TDA Facebook is a professional Website. See. I’m erudite.
------------------------------------
Hot-Dang News
FTC issues final rule on breach notification.
Many times in the past, I have broken dentistry-related news to my colleagues weeks, months and even years before the ADA News Online posted the ADA version of even feel-good topics the ADA considers safe to share with membership. For those who have followed me, you know that the ADA’s favorite topics don’t include most HIPAA or FTC-related news events. The ADA hardly reports about these at all. They became an embarrassment to our leadership long ago.
Please bear with me, because I’m still trying to make sense of the FTC’s final rule that was announced yesterday - which only awaits publication in the Federal Register to become law. Like HHS’ forthcoming rule concerning HIPAA, the FTC’s covers a variety of data breaches including PHRs. Both rules were mandated under the American Recovery and Reinvestment Act as described in a very huge pile of paper that Congress quickly voted for a while back without reading. Last night, I found an early article about the FTC’s rule.
http://www.healthdatamanagement.com/news/PHR-38824-1.html
It appears that if a dentist is a HIPAA-covered entity, he or she won’t be fined by the FTC following an inspection brought about by a breach. HHS is taking over sole responsibility for that job. That’s good news, I guess. However, HHS fines are arguably moot if a breach occurs in a dentist’s office. Even if one follows the letter of the law, self-reporting a burglary could easily bankrupt a dentist. And what if it happens a second time? Some neighborhoods are like that.
From what I have gathered so far, the FTC, like the CMS a few weeks ago, is ceding breach jurisdiction of dentists’ offices to the HHS. However, I assume the Red Flags Rule still applies following only a couple more delays. But I am not entirely certain. In fact, I don’t even know if the news I am depending on from HealthDataManagement is itself reliable. Wouldn’t it be nice for those reading my report to enjoy real-time correction of rookie mistakes I am provably capable of making? We pay money to the ADA to keep us informed. Where are they? Why can’t the TDA Facebook be a wiki?
The article, with no byline, is titled “FTC’s PHR Rule = Confusion.” The author clearly states that providers are not targeted by the new rule. “The rule does not apply to HIPAA-covered entities; the Department of Health and Human Services is writing separate rules governing the reporting of data breaches for these entities.” My bet is, HHS’ surprise won’t be good news for dentists. It never is.
Here is an excerpt from the article which explains that the FTC’s final rule applies to business associates rather than providers, yet it could still destroy innocent dentists’ reputations in their communities.
“Business associates of HIPAA-covered entities, which will be covered under HHS' breach notification rule, also in some circumstances could fall under FTC's rule. ‘If they experience a breach, they could be required to provide direct breach notification to their individual customers under the FTC's rule,’ the final rule states. ‘At the same time, under HHS' rule, they could be required to notify HIPAA-covered entities to whom they provide services, so that the HIPAA-covered entities could in turn notify individuals. In some cases, as discussed further below, this potential overlap could lead to consumers' receiving multiple notices for the same breach.’”
This means that if a dentist uses a business associate such as Google Health, Microsoft’s HealthVault, or even an off-site digital records company which stores patients’ information, and that FTC-covered business associate suffers a breach, the dentist will still have to notify patients, possibly for the second time. If the negligent business associate fumbled more than 500 of the dentist’s patients’ information, local media must be notified. This means that if someone loses a laptop in New York, it could bankrupt a dental practice in Texas.
Here’s the big picture as I see it: ARRA makes the FTC the enforcer of security outside the walls of doctors’ offices while the HHS enforces HIPAA within. It’s sort of like the CIA’s jurisdiction compared to the FBI’s. For innocent dentists, it can still mean double jeopardy on a couple of levels.
(Note: I know very little about the reputation of the source, HealthData Management, but it appears to be an established Website.)
D. Kellus Pruitt DDS